[coreutils] [PATCH] sort: fix very-unlikely buffer overrun when merging

From: Paul Eggert
Subject: [coreutils] [PATCH] sort: fix very-unlikely buffer overrun when merging to input file
Date: Tue, 14 Dec 2010 11:14:15 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101208 Thunderbird/3.1.7

This bug has been there for ages, I think.  It's unrelated to
the other bugs recently discussed, but I found it by code inspection
while looking into the other ones.  I don't see any practical
way to test for it.  I pushed this:

* src/sort.c (avoid_trashing_input): Fix a typo that could cause a
buffer overrun in theory.  In practice this is extremely unlikely,
as it requires running out of file descriptors in a small merge,
presumably because some other process is hogging all the OS's file
 src/sort.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/sort.c b/src/sort.c
index 63162ea..3321ddb 100644
--- a/src/sort.c
+++ b/src/sort.c
@@ -3613,9 +3613,8 @@ avoid_trashing_input (struct sortfile *files, size_t 
               files[i].name = temp;
               files[i].pid = pid;
-              if (i + num_merged < nfiles)
-                memmove (&files[i + 1], &files[i + num_merged],
-                         num_merged * sizeof *files);
+              memmove (&files[i + 1], &files[i + num_merged],
+                       (nfiles - (i + num_merged)) * sizeof *files);
               ntemps += 1;
               nfiles -= num_merged - 1;;
               i += num_merged;
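
Review bot: With the `if (i + num_merged < nfiles)` guard dropped, the new length `(nfiles - (i + num_merged)) * sizeof *files` relies on `i + num_merged <= nfiles` holding at this point, and nothing in the visible lines establishes that. The hunk header shows a `size_t` parameter, so if `nfiles` is that unsigned count, a violation would wrap the subtraction to a huge length instead of skipping the move. When the two are equal the length is zero and the call is a harmless no-op, so removing the guard is fine for that case, but a one-line comment or an assert stating the invariant above the memmove would make the reasoning checkable by the next reader. Separately, the unchanged context line `nfiles -= num_merged - 1;;` carries a stray second semicolon that could be cleaned up while this code is being touched.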
